dan/liminix
1
0
Fork 5
Code

new fn append-path in anoia

Browse Source 
complains if you try to ../../../
This commit is contained in:
Daniel Barlow 2024-12-11 17:26:44 +00:00
parent 13087d17e3
commit ac8b971cc0
2 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
pkgs/anoia/init.fnl
View File

@ -28,6 +28,18 @@
(fn dirname [path] (fn dirname [path]
(string.match path "(.*)/[^/]-$")) (string.match path "(.*)/[^/]-$"))
(fn append-path [dirname filename]
(let [base (or (string.match dirname "(.*)/$") dirname)
result []]
(each [component (string.gmatch filename "([^/]+)")]
(if (and (= component "..") (> (# result) 0))
(table.remove result)
(= component "..")
(error "path traversal attempt")
true
(table.insert result component)))
(.. base "/" (table.concat result "/"))))
(fn system [s] (fn system [s]
(match (os.execute s) (match (os.execute s)
res (do (print (.. "Executed \"" s "\", exit code " (tostring res))) res) res (do (print (.. "Executed \"" s "\", exit code " (tostring res))) res)
@ -65,6 +77,16 @@
(expect (not (table= {:a [4 5 7 6] } {:a [4 5 6 7 ]}))) (expect (not (table= {:a [4 5 7 6] } {:a [4 5 6 7 ]})))
(expect (table= {} {})) (expect (table= {} {}))
(let [traps (fn [b p]
(match (pcall append-path b p)
(true f) (error "didn't trap path traversal")
(false err) (expect (string.match err "path traversal"))))]
(expect= (append-path "/tmp" "hello") "/tmp/hello")
(expect= (append-path "/tmp/" "hello") "/tmp/hello")
(traps "/tmp/" "../hello")
(expect= (append-path "/tmp/" "hello/../goodbye") "/tmp/goodbye")
(traps "/tmp/" "hello/../../goodbye"))
) )
(fn dig [tree path] (fn dig [tree path]
@ -206,6 +228,7 @@
{ {
: append-path
: assoc : assoc
: base64 : base64
: base64url : base64url

6
pkgs/watch-ssh-keys/watch-ssh-keys.fnl
View File

@ -1,4 +1,4 @@
(local { : system : assoc : split : dup : table= : dig } (require :anoia)) (local { : system : assoc : split : dup : table= : dig : append-path } (require :anoia))
(local svc (require :anoia.svc)) (local svc (require :anoia.svc))
(import-macros { : define-tests : expect : expect= } :anoia.assert) (import-macros { : define-tests : expect : expect= } :anoia.assert)
@ -13,14 +13,14 @@
(when (not (table= old-tree new-tree)) (when (not (table= old-tree new-tree))
(io.stderr:write "new ssh keys\n") (io.stderr:write "new ssh keys\n")
(each [username pubkeys (pairs new-tree)] (each [username pubkeys (pairs new-tree)]
(with-open [f (assert (io.open (.. path "/" username) :w))] (with-open [f (assert (io.open (append-path path username) :w))]
;; the keys are "1" "2" "3" etc, so pairs not ipairs ;; the keys are "1" "2" "3" etc, so pairs not ipairs
(each [_ k (pairs pubkeys)] (each [_ k (pairs pubkeys)]
(f:write k) (f:write k)
(f:write "\n"))))) (f:write "\n")))))
(each [k v (pairs old-tree)] (each [k v (pairs old-tree)]
(when (not (. new-tree k)) (when (not (. new-tree k))
(os.remove (.. path "/" k)))) (os.remove (append-path path k))))
new-tree) new-tree)
(define-tests (define-tests